What you should know about Network Injector and its rules

Introduction

Network Injector monitors all HTTP connections and, following the injection rules, identifies the target's connections and injects the agent into them, linking it to the resources the target is downloading from the Internet.

Types of resources that can be infected

RCS can infect any type of file.

NOTE: Network Injector is not able to monitor FTP or HTTPS connections.

How to create a rule

To create a rule:

  1. Define the way to identify the target's connections, for example by matching the target's IP or MAC address, or let the Tactical Network Injector operator select the device.
  2. Define the way to infect the target, for example by replacing a file the target is downloading from the web or by infecting a website the target usually visits.

What happens when a rule is enabled/disabled

Enabling a rule means making it available to the Network Injector injection process. RCS routinely communicates with Network Injector to send rules and acquire logs. The operator is in charge of enabling this synchronization for Tactical Network Injector.

A rule that is not enabled is not applicable, meaning it cannot be sent to the Network Injector.

Automatic or manual identification rules

If information about the target devices is already known, numerous rules can be created and adapted to the target's different habits. The most efficient rule or rules can then be enabled according to the situations that arise at a given time in the investigation.

If no information about the target devices is known, use Tactical Network Injector, which allows operators to observe the target, identify the device used and infect it while in the field.

For this type of manual identification, specify TACTICAL in the User patterns field.

Starting the infection

After Network Injector receives the infection rules, it is ready to start an attack.

During the sniffing phase, it checks whether any of the devices in the network meets the identification rules. If so, it sends the agent to the identified device and infects it.
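
Because injection is applied only to the identified device and only over plain HTTP, that device receives a different file than other clients requesting the same URL. The Python sketch below is an added example, not part of the RCS guide, that flags such outliers in a constructed proxy log. The log format, the function names and the assumption that the log is recorded on the client side of any on-path modification are all hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the guide): time, client, URL, status, body bytes.
SAMPLE_LOG = """\
2012-05-02T09:00:01 10.0.0.11 http://downloads.example.com/tool-setup.exe 200 1048576
2012-05-02T09:03:10 10.0.0.12 http://downloads.example.com/tool-setup.exe 200 1048576
2012-05-02T09:07:44 10.0.0.23 http://downloads.example.com/tool-setup.exe 200 1376256
2012-05-02T09:09:02 10.0.0.14 http://downloads.example.com/tool-setup.exe 200 1048576
2012-05-02T09:10:00 10.0.0.23 https://secure.example.com/app.exe 200 2097152
2012-05-02T09:11:30 10.0.0.11 https://secure.example.com/app.exe 200 2000000
2012-05-02T09:12:00 10.0.0.12 http://static.example.com/readme.txt 200 512
"""

def parse(log_text):
    """Yield (client, url, size) for successful responses; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "200" or not parts[4].isdigit():
            continue
        yield parts[1], parts[2], int(parts[4])

def find_outlier_downloads(log_text, min_clients=3):
    """Flag clients whose body size for a plain-HTTP URL differs from the majority."""
    sizes_by_url = defaultdict(dict)  # url -> {client: last observed size}
    for client, url, size in parse(log_text):
        if urlsplit(url).scheme.lower() != "http":
            continue  # the guide states HTTPS and FTP connections are not monitored
        sizes_by_url[url][client] = size
    findings = []
    for url, per_client in sizes_by_url.items():
        if len(per_client) < min_clients:
            continue  # too few observations to establish a baseline
        baseline, seen = Counter(per_client.values()).most_common(1)[0]
        if seen * 2 <= len(per_client):
            continue  # no clear majority size, e.g. dynamic content
        for client, size in sorted(per_client.items()):
            if size != baseline:
                findings.append((client, url, baseline, size))
    return findings

if __name__ == "__main__":
    for client, url, baseline, size in find_outlier_downloads(SAMPLE_LOG):
        print(f"{client} received {size} bytes for {url}; baseline is {baseline}")
```

A size mismatch is only a lead for static files; confirming it requires comparing the received file's hash against one obtained over an authenticated channel.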

RCS8.2 | User's and Installation Guide | © COPYRIGHT 2012